
tiff2ps crashed with SIGSEGV in TIFFReadScanline()

Reported by Dekar on 2009-05-25
This bug affects 3 people
Affects          Status        Importance  Assigned to        Milestone
tiff (Debian)    Fix Released  Unknown
tiff (Ubuntu)                  Medium      Kees Cook
  Dapper                       Medium      Jamie Strandboge
  Hardy                        Medium      Jamie Strandboge
  Intrepid                     Medium      Jamie Strandboge
  Jaunty                       Medium      Jamie Strandboge
  Karmic                       Medium      Kees Cook

Bug Description

dekar@dekar-laptop:~$ lsb_release -rd
Description: Ubuntu 8.10
Release: 8.10
dekar@dekar-laptop:~$ apt-cache policy libtiff4
libtiff4:
  Installed: 3.8.2-11
  Candidate: 3.8.2-11
  Version table:
 *** 3.8.2-11 0
        500 http://ftp.hosteurope.de intrepid/main Packages
        100 /var/lib/dpkg/status

It crashes my Jaunty and my Lenny system as well!
The file has recently been used by hackers to run unsigned code on the Sony PSP console (it also uses libtiff) so it is likely to allow code execution on Ubuntu as well. The PSP has a MIPS CPU so the file I uploaded shouldn't do any harm to a normal x86er system (except the crash) - though I don't guarantee anything ;)

To try the exploit simply extract it to a folder and wait till Nautilus tries to generate a thumbnail. It even crashed my Firefox when I tried to upload it uncompressed.

Dekar (dekar-wc3edit) wrote :
visibility: private → public
vhahn (victor-tirm) wrote :

also crashes Konqueror

Changed in tiff (Ubuntu):
status: New → Confirmed
Dekar (dekar-wc3edit) on 2009-05-26
Changed in debian:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I can confirm this as well. Simply using tiff2ps (from libtiff-tools) on the file causes a segmentation fault.

Changed in tiff (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
summary: - Tiff exploit crashes libtiff and applications using it. Code execution
- is most likely possible!
+ PSP tiff exploit crashes libtiff4
Changed in tiff (Ubuntu Dapper):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Intrepid):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)

Why did you remove the code execution part? If this libtiff exploit is able to execute code on a MIPS CPU it is really likely it could do the same on x86er using exactly the same library! And since code execution is likely it should be critical and not medium!

Jamie Strandboge (jdstrand) wrote :

The summary was cleaned up because it was too long, however the description is left intact. The bug was initially set to medium as per https://wiki.ubuntu.com/SecurityTeam/BugTriage#Priority. This may change after further evaluation of the bug.

Dekar (dekar-wc3edit) wrote :

So when will this critical bug be fixed? Do you wait till there is abuse first - and thousands of users are infected with trojans?

Kees Cook (kees) wrote :

I've attached the reproduction of the crash in a duplicate bug. At first glance, this appears to be a NULL-offset, but since it's so large, it's unclear if there is arbitrary control over the destination of the %al byte being written.

SegvAnalysis:
 Segfault happened at: 0x7f2131398308: mov %al,(%rcx)
 PC (0x7f2131398308) ok
 source "%al" ok
 destination "(%rcx)" (0x008effff) not located in a known VMA region (needed writable region)!

summary: - PSP tiff exploit crashes libtiff4
+ tiff2ps crashed with SIGSEGV in TIFFReadScanline()
Kees Cook (kees) wrote :

To speak to your MIPS vs x86 issue, they are different architectures, so it is not immediately obvious if x86 (or Ubuntu, given its ASLR, stack/heap protections, etc) is vulnerable. Regardless, it needs fixing.

Kees Cook (kees) wrote :

Rather, it's walking backwards off the heap. 0x8effff is just before the heap allocation at 0x8f0000. wololo's discussion of the issue is here:
http://www.lan.st/showthread.php?t=1856&page=3

Kees Cook (kees) wrote :

Upstream bug opened:
http://bugzilla.maptools.org/show_bug.cgi?id=2065

Developed possible patch.

Kees Cook (kees) on 2009-06-22
affects: debian → tiff (Debian)
Changed in tiff (Debian):
importance: Undecided → Unknown
status: Confirmed → Unknown
Changed in tiff (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → Kees Cook (kees)
status: Confirmed → Fix Committed
Changed in tiff (Debian):
status: Unknown → New
Kees Cook (kees) on 2009-06-29
security vulnerability: yes → no
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-7ubuntu3.2

---------------
tiff (3.8.2-7ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:54:05 -0400

Changed in tiff (Ubuntu Hardy):
status: Confirmed → Fix Released
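The segfault analysis earlier in this report traces the crash to a byte store walking backwards off the heap, and the changelog above describes the fix as aborting when the LZW code is bigger than CODE_CLEAR in tif_lzw.c. What follows is an added illustration written for this page, not libtiff's own tif_lzw.c: a deliberately simplified old-style LZW decoder (LSB-first bit order, fixed 9-bit codes, no code widening) that applies that check to the code following a clear, and additionally refuses codes that reference table entries not yet defined and output that would overrun the caller's buffer. The constants CODE_CLEAR, CODE_EOI, CODE_FIRST and BITS_MIN are named as in libtiff; the fixed code width, the table layout, the pack_codes helper and the code sequences in main are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Code-space constants, named as in libtiff's tif_lzw.c */
#define CODE_CLEAR 256
#define CODE_EOI   257
#define CODE_FIRST 258
#define BITS_MIN   9
#define MAXCODES   (1 << BITS_MIN)   /* assumption: fixed 9-bit codes, no widening */

typedef struct { int prefix; unsigned char value; unsigned char first; int length; } entry_t;
typedef struct { const unsigned char *p, *end; unsigned long data; int bits; } reader_t;

/* Pull the next nbits-wide code, least-significant-bit first; -1 when input runs out. */
static int next_code(reader_t *r, int nbits) {
    while (r->bits < nbits) {
        if (r->p >= r->end) return -1;
        r->data |= (unsigned long)*r->p++ << r->bits;
        r->bits += 8;
    }
    int code = (int)(r->data & ((1u << nbits) - 1));
    r->data >>= nbits;
    r->bits -= nbits;
    return code;
}

/* Decode an LZW code stream into out; returns bytes written or -1 on malformed input. */
int lzw_decode_checked(const unsigned char *in, size_t inlen, unsigned char *out, size_t outcap) {
    entry_t tab[MAXCODES];
    for (int i = 0; i < 256; i++) {   /* single-byte literals */
        tab[i].prefix = -1; tab[i].value = tab[i].first = (unsigned char)i; tab[i].length = 1;
    }
    reader_t r = { in, in + inlen, 0, 0 };
    int free_ent = CODE_FIRST, oldcode = -1, code;
    size_t occ = 0;
    while ((code = next_code(&r, BITS_MIN)) >= 0) {
        if (code == CODE_EOI) break;
        if (code == CODE_CLEAR) { free_ent = CODE_FIRST; oldcode = -1; continue; }
        if (oldcode < 0) {
            /* The code right after a clear must be a literal. This is the class of
               check the changelog describes: a larger value would index table
               entries that hold no valid string length, which is what let the
               unchecked decoder walk off the end of its buffers. */
            if (code > CODE_CLEAR) return -1;
            if (occ >= outcap) return -1;
            out[occ++] = (unsigned char)code;
            oldcode = code;
            continue;
        }
        if (code > free_ent) return -1;       /* references an entry never defined */
        if (free_ent >= MAXCODES) return -1;  /* table full; a real decoder widens codes */
        int kwkwk = (code == free_ent);       /* the "string not yet in table" case */
        int len = kwkwk ? tab[oldcode].length + 1 : tab[code].length;
        unsigned char first = kwkwk ? tab[oldcode].first : tab[code].first;
        if (occ + (size_t)len > outcap) return -1;   /* would overrun caller's buffer */
        unsigned char *tp = out + occ + len;         /* emit the string back to front */
        if (kwkwk) *--tp = first;
        for (int c = kwkwk ? oldcode : code; c >= 0; c = tab[c].prefix) *--tp = tab[c].value;
        occ += (size_t)len;
        tab[free_ent].prefix = oldcode;              /* new entry: old string + first byte */
        tab[free_ent].value = first;
        tab[free_ent].first = tab[oldcode].first;
        tab[free_ent].length = tab[oldcode].length + 1;
        free_ent++;
        oldcode = code;
    }
    return (int)occ;
}

/* Pack 9-bit codes LSB-first so the examples can be built from code lists; returns byte count. */
size_t pack_codes(const int *codes, size_t n, unsigned char *out, size_t cap) {
    unsigned long acc = 0; int bits = 0; size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= (unsigned long)(codes[i] & (MAXCODES - 1)) << bits;
        bits += BITS_MIN;
        while (bits >= 8) {
            if (len >= cap) return 0;
            out[len++] = (unsigned char)(acc & 0xff); acc >>= 8; bits -= 8;
        }
    }
    if (bits > 0) { if (len >= cap) return 0; out[len++] = (unsigned char)(acc & 0xff); }
    return len;
}

int main(void) {
    unsigned char buf[64], out[64];
    int good[] = { CODE_CLEAR, 'A', 'B', 258, 260, CODE_EOI };     /* constructed: "ABABABA" */
    int bad[]  = { CODE_CLEAR, 300, CODE_EOI };                     /* constructed: 300 > CODE_CLEAR */
    size_t n = pack_codes(good, 6, buf, sizeof buf);
    int w = lzw_decode_checked(buf, n, out, sizeof out);
    printf("good stream: %d bytes -> %.*s\n", w, w > 0 ? w : 0, out);
    n = pack_codes(bad, 3, buf, sizeof buf);
    printf("bad stream: %d\n", lzw_decode_checked(buf, n, out, sizeof out));
    return 0;
}
```

The decoder never reads a table slot above free_ent, so a crafted code cannot turn an uninitialised length field into a pointer adjustment; every other failure path (undefined entry, full table, output overrun) returns -1 rather than trusting the stream.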
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-11ubuntu0.8.10.1

---------------
tiff (3.8.2-11ubuntu0.8.10.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:38:08 -0400

Changed in tiff (Ubuntu Intrepid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-11ubuntu0.9.04.1

---------------
tiff (3.8.2-11ubuntu0.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:38:08 -0400

Changed in tiff (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Dapper):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

tiff (3.8.2-13) unstable; urgency=high

  * Apply patches to fix CVE-2009-2347, which covers two integer overflow
    conditions.
  * LZW patch from last update addressed CVE-2009-2285. Renamed the patch
    to make this clearer.

 -- Jay Berkenbilt <email address hidden> Sun, 12 Jul 2009 18:03:33 -0400

tiff (3.8.2-12) unstable; urgency=low

  * Apply patch to fix crash in lzw decoder that can be caused by certain
    invalid image files. (Closes: #534137)
  * No longer ignore errors in preinst
  * Fixed new lintian warnings; updated standards version to 3.8.2.

 -- Jay Berkenbilt <email address hidden> Sun, 28 Jun 2009 13:17:44 -0400

Changed in tiff (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in tiff (Debian):
status: New → Fix Released